Of all the threats that could be stalking your business daily, it is most unpleasant to think about the fact that the biggest threat could already be inside your walls, maybe even on your payroll. Unfortunately there’s plenty of evidence to suggest that the biggest source and cause of security incidents is the humble employee.
The good news is that few of these incidents are deliberate attacks or frauds by your most trusted insiders. Instead they tend to be innocent mistakes which could easily be avoided but which are quickly taken advantage of by hackers.
Here are the top ten most common mistakes employees make that expose their workplaces:
- Falling for phishing emails that pretend to be an official request for something sensitive, like a password.
- Clicking on infected links or downloads in emails that hide malicious software.
- Falling for social engineering scams that trick users into giving away too much information, often to a phone caller.
- Visiting malicious websites without proper protection and so exposing their computers to malware on those sites.
- Poor password practices, from weak passwords to passwords not properly protected. Bad (or nonexistent) company password policy is usually the culprit here.
- Bringing bugs to work. Poor computer hygiene habits at home often result in infected laptops, tablets, or USB drives brought into the workplace.
- Keeping unprotected sensitive data on laptops and mobile devices, especially company secrets and customer information, and then not guarding those devices.
- Careless surfing, especially using unprotected Wi-Fi in public places.
- Ignoring the security rules and policies, often because employees find them an obstacle to other things, annoying, or a waste of time.
- Not protecting access to customers and partners, as happened in the giant Target breach where the origins of the biggest breach in history were traced to a small HVAC vendor whose employees were fooled into revealing critical passwords that gave the attackers unlimited access to Target’s networks.
Numerous studies over the last few years have found that most data and security breaches can be traced to the actions or failures of employees. Whether it’s not following the rules, not paying enough attention, or setting up computers or networks without security in mind, hackers won’t waste a second in pouncing on these vulnerabilities.
And unfortunately there’s no technology that can fix this problem. But there are still things you can do to reduce the likelihood of employee mistakes:
- Talk to them, often. Sometimes it’s that simple – letting them know there are threats to the business that could also hurt jobs and that they as employees can make a real difference.
- Have them sign employee acceptable-use policies so not only do they understand the rules, they’re also agreeing to the consequences for failing to follow them.
- Train them. Pick half a dozen key topics, like data protection, passwords, and safe surfing, and find ways to remind all employees all the time about these issues.
- Test them. Sending crafted emails that look like phishing emails, and that employees should recognize as such, is a free way of determining whether their awareness is really effective.
Remember, employees’ security awareness is not actually about awareness. It’s about being vigilant. That means being aware when it matters – before they create a weak password, before they click on an email attachment, before they respond to a hoax.